Slashdot Mirror
SCO Not Lying About DoS Attack
Licensed2Hack writes "The Cooperative Association for Internet Data Analysis (CAIDA), part of the San Diego Supercomputer Center at the University of California, San Diego has an analysis of the recent DDOS on SCO.com. Netcraft also has more information in their article and analysis graphs. Seems SCO was hit with a 50,000 packet-per-second SYN flood peak, which yields approximately 20 Mb/s each way, or about the capacity of a DS3 line."
poor little darl..... :)
. . . that's just the slashdot effect. . .
Great! now they get headlines simply by *not* lying
.... where did the synflood come from?
Jaysyn
There is a war going on for your mind.
Ha-ha!
Quick! Someone start knitting Satan a sweater!
libertarianswag.com
Oops, oh well. SCO still sucks.
The only result of this kind of attack will be tarnishing of the image of Open source developers. But, there is nothing much anyone can do about it.
New year Resolution: Don't change sig this year
SCO's like the boy who cried wolf too much. Why should people care when he actually gets bitten?
If any authorities look into this, I am gonna be pissed. I mean, if they can't bother to do anything when the anti-spam sites get attacked, then they better damn well not do anything now.
Of course, I am of the paranoid type who assumes that SCO would stage a DDoS against themselves just for the publicity, so what the hell do I know?
WWJD?
JWRTFM!
Well I guess the lying or incompetent question has been settled.
You say
It's hard to have much sympathy, even though this is a dirty trick played by some h@xtor D00d that has nothing better to do with his time. The only way to beat a scurrilous bunch of deadbeats like SCO is to show to the public the kind of people they really are. Attacking them in this way only makes the Open-Source people look like a bunch of teenage kids that want to take on "The Man".
Stay tuned for new sig...
Or to put it another way, they weren't lying, they're just stupid?
Serve Gonk.
...SCO Must Prove Existence Of Santa Claus in Thirty Days
I'm scared of numbers that can't be written as a fraction. It's an irrational fear.
Everyone gets DoS'd, they should be happy it stopped.
With SCO there is just no telling if this was a PR stunt, if they set this up or if they really got attacked.
At this juncter, i don't think it really matters because of the simple fact we don't know what SCO is up to and with everything going on we have lost faith in SCO.
Attack or No attack is a trivial question compared to what we really know about SCO and there business practices.
SCO freaking what!
Drill baby drill - on Mars
CAIDA Analysis of SCO DoS Please use this link, the other one goes to a slow XML server.
Why on earth did SCO respond to 700 million syn packets? if there was even a moderate level of syn protection turned on they would have just droped the majority of those packets. and the bandwith usage would be half.
The cause that fits much better with their general operating pattern is that they purposely left themselves open to this attack to present themselves as the poor, innocent victims of the evil, Constitution-burning, enemy combatant, Open Source villans.
I'd buy that one.
SCO was hit with a 50,000 packet-per-second SYN flood peak
...
If their servers died from a synflood attack, there are 3 possible reasons:
- The IT guy is a monkey (likely, but still, he would have to be a really daft monkey)
- The IT guy has time-travelled from the mid-nineties and didn't know about synfloods
- The IT guy was told to compile a kernel without the synflood protection, so that Caldera/SCO would look like the poor company hit by naughty hackers.
Also, I might add, there are another aspect to consider : whoever hit SCO with a synflood attack has either:
- the brain of a monkey
- time-travelled from the end of the nineties and attacked SCO with what he thought was a really cool unbeatable DoS
- been told to attack SCO so that SCO looks like the poor company hit by naughty hackers.
Conclusion: The cause of this DoS was either:
- 2 particularly stupid monkeys
- 2 time-travellers
- 2 suckers paid by SCO
Dunno for you, but I know where my money would go if I had to bet
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
The attack was just short of half a DS3 Line.
DS3 Line = 44.736Mbps for those of you who need a definition
-Certified TechnoWeinie
No.
DS1 is the circuit either a T1 or E1 rides on. E1's are the european equivelent to at T1. DS1 is the raw circuit.
If you need web hosting, you could do worse than here
For the mathematically challenged:
20mbit up + 20mbit down = 40mbit
Or 20mbit x 2 = 40mbit
20mbit comes into to SCO web server a second
20mbit goes out of SCO web server a second
Now, how much traffic was there in that second?
I'm not sure I can make it any clearer.
eems SCO was hit with a 50,000 packet-per-second SYN flood peak, which yields approximately 20 Mb/s each way, or about the capacity of a DS3 line."
And how, exactly, would you prepare for this? Ignoring syn-floods is very simple when it comes to keeping your server alive, but how do you deal with the bandwidth saturation?
The "each way" would indicate the syns were being replied to (dumb), but they still would have clogged the pipe.
My question is how this is possible without killing the bandwidth other servers on the subnet, namely ftp.sco.com and others? That was the original reason for the conclusion that SCO was lying, and I've yet to see something that refutes it
The other question, of course, if it was a DDOS, who did it? A group, or one person slaving many connections? Maybe somebody with a DS3 or two available to spare?
With the last two, one would think that the outgoing results of such an attack would be noticed?
Also, again with the main arguement that the ftp was online whilst the www was offline... why does the article say the FTP was down (and first to be attacked)??
Did you just call SCO a legitimate business? *Backs away very slowly*
Once upon a time, a T1 was 24 multiplexed analog telephone circuits plus some control channels.
DSx is the digital version with the same capacity. The analog infrastructure is mostly gone now, so the terms are used interchangably in most conversations.
Conformity is the jailer of freedom and enemy of growth. -JFK
Again, even when SCO shows a shred of the truth, it only reveals they're either incompetent or unethical.
Provided that the bandwidth to the load balancer did not get saturated in the DDoS, and the attack was targetted at a specific IP then it is perfectly possible for adjacent IPs to be fine. I and several others pointed this out as a possibility out in the original story and either got modded to oblivion or called idiots for it. C'est la vie.
UNIX? They're not even circumcised! Savages!
It also doesn't explain why the NetCraft stats show their connection going dead like a switch was flipped.
Even with a SYN flood, there should have been a ramp up period of increasing latency, not an "on/off" situation.
I like you, Stuart. You're not like everyone else, here, at Slashdot.
But if the website traffic is load-balanced across those multiple servers, wouldn't the server at 216.250.128.20 have been hit by the very same attack ? From the traceroute and DNS queries, it seemed to me that they had just changed their webserver's IP from 216.250.128.12 to 216.250.128.20, and messed up the DNS update and transition.
Maybe we deserve this world ?
Man, this whole thing sure is a lot of shoes in a lot of Slashdotters' mouths.
"Sufferin' succotash."
Ummm. No. A DS3 (or T3, or T1 for that matter) is full-duplex. A DS3 supports up to 45 megabits/second in BOTH directions. Read your own link a little more closely... "A DS3 is capable of moving over 5.5 Megabytes per second (45Mbps) in one direction - ***twice that when upload and download performance are combined***."
and even then, only paid them with an I.O.U. -- to be payable if they win against IBM ...
This statement is false.
What a nice place to say that, isn't it?
The CAIDA article states: "The current attack successfully blocked access to SCO web and ftp servers"
I find that difficult to believe. The Groklaw article mentioned successful access to the FTP server for a few HOURS while the WWW server was not available.
Then, suddenly, the FTP server was also down, which was after the Groklaw article appeared.
So basically there two things which makes me wonder about this whole situation:
If the main reason for the service being denied was actually the traffic generated by this attack, which is basically what the CAIDA article seems to claim, then there is no indeed no distinction to be drawn between the two servers, and so should have gone down simultaneously.
And just what do these childish OS hackers expect to gain from this? It is not like it is going to change anything. Yes they are suing people using Linux. But thats one of the problems with open source. If there is a legal issue with the code then its your problem. That is one of the great things about microsoft. At least when you are using their software, you know that you will have microsofts army of lawers to defend any legal issues there may be with the code. Which is cheaper, buying windows, or spending months in trial?
My ass they will. If I can prove with out a shadow of a doubt that Microsoft has included my patented and copyrighted code in Office 2003, and I start suing end users (you) directly for it, do you honestly believe that Microsoft is going to come defend you?
The only thing Microsoft will defend is themselves and their revenue stream.
I'd rather be a conservative nutjob than a liberal with no nuts and no job.
Actualy, what bothers me is:
They tracked SCO was sending OUT X million responses to DoS attack. They should track packages that go IN too. Or,... they were originating from inside and faking outside which is not hard to do???
Please somebody start a site with HOWTO - SYN PROTECTION FOR SCO or HOWTO MAKE A SIMPLE FIREWALL
Signature Pro version 1.13.2-3 release 83.5 beta3try7 after-breakfast edition
It was bound to happen eventually, if only by random chance - as much as they talk, sooner or later they were bound to say something true.
"that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
Yes, SCO are pretty low on the karma totem, however the 'experts' quoted on groklaw, as well as the far more numerous 'experts' who replied that yes they must be faking it .... were drawing their speculations on very little data.
If you cared to measure you sure didn't need to be CAIDA, many snort, pf and netfilter logs are showing the backscatter of this attack.
And to all the experts who've been holding that a large synflood is easy to fix by blocking the attacker IPs: get a fscking clue.
Both syn and bandwidth attacks use forged addresses children (which is why there is backscatter), each incoming syn is from a random IP, the ack goes to the forged addr, not the originator.
The best way I've seen to handle this involves sensors at enough upstream locations to measure the packet count ratio skewing which results. This isn't generally deployed
Now technically SCO could probably manage to forge that kind of data (just send out all the expected response traffic) but again there are enough sensor platforms out there now that such a deception would certainly be unmasked eventually.
Linux is Linux, if One need clarify their dist: <Dist>/GNU Linux
bsds are of course just BSD
In fact... a lot of SYN attacks don't use comprimised hosts at all! They actually send the request to a bunch of computers that are just running webservers, that's all. They spoof the destination IP and change it to the IP of the target to be attacked and all those webservers (usually ~40,000) respond at once to the host, essentially knocking it offline. It's happened to me before. :P
So you can use even a secure (but not 100% properly configured) server to launch an attack with... Intersting stuff.
If they say that their entire DS3 was saturated why was it that I could reach ftp.sco.com during the attack?
First of all, they didn't say their entire DS3 was saturated. They said the bandwidth of the attack was enough to saturate a DS3.
Secondly, why not? When you're downloading 100 different files at the same time you can still use the internet, right? Packets will get dropped, but the internet can handle packets getting dropped. See, there's this thing called TCP which is a protocol on top of the IP layer and handles connections when packets are being dropped.
Oh never fear I have a mirror up whats the big deal
MoFscker
DS3 is ~45Mbit/sec bi-directional
(so 20 is about 44% utilized)
Take a look at the graph at CAIDA. The web server takes a beating for about an hour around 4am PST, and again for a bit longer around midnight. Just as the latter is leveling off, an even bigger spike hits the FTP server which lasts about an hour and then tails off over the next several. All in all a pretty poor DDoS attack if they couldn't sustain it for more than a few hours so the originator can't have been too smart. Bit bit like the victim that failed to have adequate SYN attack protection really... do you suppose there is a connection?
UNIX? They're not even circumcised! Savages!
"I didnt do it.. no body saw me do it ..can't prove anything /me ducks
.
.
"I disapprove of what you say, but I will defend to the death your right to say it." - Voltaire
Is every Christian responsible for the bombing of abortion clinics? Is every Muslim responsible for honor killings? Is every Linux user responsible for these attacks?
I have little doubt that they were attacked. What seems strange to me though is that they were entirely giddy over the affair. They even went as far as issuing press releases about it. I haven't heard of any company that jumps to release PR about DDOS attacks so quickly. When forced to explain reports of DDOS attacks, a company may release a statement that clears the issues. But the first reports of these attacks came from SCO themselves. This is what raised suspicion, justifiably.
But people shouldn't jump to conspiracy theories so quickly. Doubt of their veracity, sure? Conviction that they are lying--not justified.
That is what one gets when one keeps crying wolf!
Unfortunately, the number of words in that sentence did not exhaust the immense volume of even the big lies told by SCO.
I hope the wolf is IBM.
All data is speech. All speech is Free.
I have no idea if SCO is using Cisco routers on their permiter, but I guess its not too unreasonable to assume this is a possibility. With a Cisco on the permiter, preventing a SYN attack requires all of 3 additional lines to the configuration. I'm guessing it also doesn't take too much more than this on any enterprise-class router.
p s2 120/products_configuration_guide_chapter09186a0080 0b6f0e.html
Configuring a Cisco perimeter router to prevent SYN flood attack against web server:
(config)#access-list 151 permit tcp any host
(config)#ip tcp intercept list 151
(config)#ip tcp intercept mode intercept
With Intercept mode enabled, all incoming SYN are held by router which proxy-answers w/syn-ack. Won't forward to server if Ack not recieved.
http://www.cisco.com/en/US/products/sw/secursw/
This claim from netcraft bugged me since the first time I read it when it was linked to the last sco story. Let's spend some time debunking it.
Let us assume that the resolution of netcrafts measurements has a resolution of 1 minute, hell, make it 10 seconds. How long do you think it takes for an average zombie machine to start churning out syn packets at full speed? I'd say after maybe a second or two, and I'm being generous. There's a >90% chance the zombies are all recieving commands through IRC or a similar set-up, this adds maybe 2 to 3 seconds to the response time. All in all it's fair to assume that within 5 seconds of the attackers push of the button all zombies will be spewing syn packets at their maximum rate.
So in conclusion; Any attacker with a sufficient amount of zombies can push an amount of traffic into any network enough to saturate its bandwidth contraints within a mere *5* seconds. There is no reason *at all* why an attack like this should always look like a slow (1 - 10 minute) degradation of network performance, it can be done close to instantanious.
Of course depending on your relation with your backbone provider you can always try to block it higher-up. Although, don't be surprised when some attackers actually saturate gigabit links...
-- Witty saying #52; 404: file not found
That both sites have published this retraction, after having previously published the original stories about the DDOS being a fabrication. Many, more "mainstream" and "credible", news sites probably would not have done so, or would have published the retraction loaded with "spin."
Worse, many other sites would have tried to cover up the truth, rather than risk suffering a little "egg on the face."
To the credit of both Groklaw and Slashdot, both have said "Oops, we were wrong," and handled things in a very mature fashion.
Good job, guys.
// TODO: Insert Cool Sig
T1 stands for Trunk Level 1 and is a digital transmission link with a total signaling speed of 1.544Mbps. T-1 is a standard for digital transmission in North America (USA & Canada). T-1 is part of a progression of digital transmission pipes - a hierarchy known generically as the DS (Digital Signal Level) hierarchy.
T1 was originally supplied on two pairs of copper wire (transmit and recieve pairs), but is often delivered via multiplexed fiber optic cables. A T1 can be multiplexed into 24 64Kbps channels for telephone trunking (compatible with the analog phone system), but are still digital signals between the PBX and the ILEC/CLEC's phone switch.
The E1 is a standard in Europe (and UK) which is capable of 2.048Mbps and can be channelized into 32 64Kbps channels for phone trunking.
**most of this is paraphrased from Newton's Telecom Dictionary 16th Ed.
That it wasn't customers rushing to pay their linux liscense fees because the court case is going so well?
and Daryl wouldn't lie either.
Professional Politicians are not the solution, they ARE the problem.
The "attack" did not come from any open-source symphasizers.
After 24 hours the main argument that SCO was faking this was that their ftp server was up. It was very common knowledge and you can be absolutlely certain the hacker was reading the news about the hack. What happened then? Suddenly the attack slowed to the main server and it started up with double intensity to the ftp server! Look at the damn graph and see what other conclusion you can think of.
Any Leet SCO-hating fanatic would have doubled the attacks on the main server, or perhaps attacked every machine *except* the ftp site. That would have been the most clear "I hate you SCO and I'm going to mess with you as much as possible" attack. If they hated SCO they would want their attack to match the insults being directed at SCO as much as possible.
Instead the attack suddenly switched to be as exactly as possible a refutation of the publicity about the attack.
There is no question what the motives of the "attacker" are. And it is absolutly disgusting that SCO can get positive publicity for this nasty little stunt.
This is so obvious it's not even funny.
In nearly every scenario, you can trace the cause of something to its origin by determining who benefits the most from it. In this case,
Does linux benefit from this DDoS? No.
Does IBM's case benefit? No.
Does the linux community? No.
Do 1337 kiddies? No. (They don't get the credit - "linux hippies" get the "credit")
Does SCO? Yes. They'll likely try to get an extension on their court order, just as earlier predicted here on slashdot.
If I were in the FBI and looking into this scenario, I'd first look at SCO's accounting very, very carefully. My guess is that there's a debit of several dozen (hundred?) thousand for something like "Consulting Services" made within the last couple weeks.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
Pardon my ignorance, but if they took the web server offline at 10-something am, then what was producing the backscatter of ack packets? Was the ISP doing this for them? Why on earth would they bother? And if there was no machine there to respond to the syn flood for hours, then where was the backscatter coming from?
Also, I thought most zombie machines were compromised MS boxes. Are there networks of thousands of 0wned linux boxes out there that script kiddies are nuking each other with?
Wating for enlightnement...
Sites get attacked every day. Yahoo.com had it's share of attacks back in the day and so did any number of sites.
The fact is that improperly maintained or administered sites *will* be hacked or DoS attacked by evil-hackers simply to prove that they can do it. SCO is simply a convenient target for some adolescent idiots like so many other sites.
There is no evidence that these attacks are in any way connected to the recent Linux spat and are not some independent idiot who doesn't care one way or the other.
Also, as a community we should discouraget this kind of behavior, but it is also a mistake for any individual, company or judge to believe that the actions of a few wayward individuals reflects the sentiment of the entire community.
I mean, just because someone uses Windows and hacks Linux sites, does this mean that *all* Windows users hate Linux?? No, I know some people who use both and they love Linux, but use Windows for work and they like it too. Contrary to popular belief Windows users are as rabid and often are *more* rabid and fanatical than Linux users. I personally have spoken to people who believe that Microsoft deserves to overcharge the workd for everthing because, in his mind, they have "won" and that is thier "reward".
So you see... I believe that, while it's unfortunate the SCO is being attacked, it's not necessarily connected with Linux.
Perhaps SCO should secure thier site better.
GJC
Gregory Casamento
## Chief Maintainer for GNUstep
Even though DDOS attacks are misuse of an Internet service and illegal, some of the tactics SCO have used in this case are very dubious too. Claiming ownership of chunks of a kernel without showing any proof and not waiting for the outcome of a court case.
:)
The damage they have caused companies involved in Linux far outweight a bit of network outage, unless they suffer a major loss since statistics say 80% of businesses that suffer a major outage go out of business within two years. We can always hope
Link to 80% statistic
Maybe what it really means is Denial of Settlement.